diff --git a/packaging/systemd/wesnothd.service.in b/packaging/systemd/wesnothd.service.in index 6ef940abd928..e4a5699823db 100644 --- a/packaging/systemd/wesnothd.service.in +++ b/packaging/systemd/wesnothd.service.in @@ -1,22 +1,34 @@ [Unit] Description=Wesnoth@BINARY_SUFFIX@ Multiplayer Server Daemon +Documentation=https://www.wesnoth.org/wiki/ServerAdministration Documentation=man:wesnothd(6) After=network.target -# other wesnothd installations use the same port by default +# Other wesnothd installations use the same port by default # Conflicts=wesnothd-1.12.service wesnothd-1.10.service [Service] +# If wesnothd is started from within the game it runs under a different user +# Deleting the pipe resets owner, group and mode +ExecStartPre=/bin/rm -f @FIFO_DIR@/socket + ExecStart=@CMAKE_INSTALL_FULL_BINDIR@/wesnothd@BINARY_SUFFIX@ -t 2 -T 5 -# you can use -c to specify the same configuration file +# You can use -c to specify the same configuration file # which is used when starting wensothd from within the wesnoth UI +# e.g. -c /home/user/.local/share/wesnoth/1.14/lan_server.cfg # (and make sure wesnothd has the required access permissions) -ExecStopPost=/usr/bin/rm -f @FIFO_DIR@/socket + +ExecStopPost=/bin/rm -f @FIFO_DIR@/socket + SyslogIdentifier=Wesnothd@BINARY_SUFFIX@ +WorkingDirectory=@FIFODIR@ +User=nobody +Group=users # Additional security-related features -# (when using the -c option, do not use the Protect options) +# (when using the -c option, do not use ProtectHome) ProtectHome=yes -ProtectSystem=full +ProtectSystem=strict +ReadWritePaths=@FIFO_DIR@ PrivateTmp=yes PrivateDevices=yes NoNewPrivileges=yes @@ -28,6 +40,7 @@ ProtectControlGroups=yes ProtectKernelTunables=yes ProtectKernelModules=yes RestrictNamespaces=yes +LockPersonality=yes [Install] WantedBy=multi-user.target diff --git a/packaging/systemd/wesnothd.tmpfiles.conf.in b/packaging/systemd/wesnothd.tmpfiles.conf.in index 5e7bb6889b45..a446d5a9ba04 100644 
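Review bot: The added `WorkingDirectory=@FIFODIR@` spells the placeholder without the underscore, while the other new lines in this hunk (`ExecStartPre=`, `ExecStopPost=`, `ReadWritePaths=`) all use `@FIFO_DIR@`. Unless the build defines a separate `FIFODIR` variable, which is not visible in this diff, the template will not expand to the FIFO directory and the unit may fail to start or run from an unintended directory. The line should read `WorkingDirectory=@FIFO_DIR@`. This matters more now that `ProtectSystem=strict` leaves `@FIFO_DIR@` as the only writable path named in the unit.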
--- a/packaging/systemd/wesnothd.tmpfiles.conf.in +++ b/packaging/systemd/wesnothd.tmpfiles.conf.in @@ -1 +1 @@ -d @FIFO_DIR@ 0700 root root - +d @FIFO_DIR@ 0700 nobody users -
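Review bot: Ownership `nobody users` on `@FIFO_DIR@` hands the directory that holds the server's control FIFO to the shared overflow account instead of an identity that only wesnothd uses; the same pair is set by `User=nobody` / `Group=users` in wesnothd.service.in. systemd's documentation advises against running services as `nobody`, because anything else that runs under that UID gets full access to the 0700 directory and the socket inside it. A dedicated system account keeps the FIFO private, for example `d @FIFO_DIR@ 0700 wesnothd wesnothd -` together with `User=wesnothd` / `Group=wesnothd` in the unit. The account name here is a placeholder, and the package would have to create it.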